CLAIMS 

What is claimed is: 



1. A method of analysis of access list subsumption in routing devices of an actual or planned routed computer network, comprising:

producing structured data in electronic memory which includes respective stored router names and respective stored access lists which respectively include elements with address/mask pairs, and wherein said structured data associates respective access lists with respective router names;

determining whether respective access lists in the structured data include two or more elements in which a first element in the access list has a more general or equal address/mask pair than a second element in the access list, wherein the respective access lists are structured such that the first element is encountered prior to the second element during typical processing of the respective access lists; and

storing in electronic memory a report of access list elements in which a first element in the access list has a more general or equal address/mask pair than a second element in the access list.

2. The method of claim 1 wherein one or more of the respective stored access lists are respectively related to input packets and one or more of the respective stored access lists are respectively related to output packets and wherein the step of producing structured data is based at least in part on the respective stored access lists.

3. The method of claim 1 wherein each of the respective stored access lists is related to a respective level three protocol and wherein the step of producing structured data is based at least in part on the respective stored access lists.
4. The method of claim 3 wherein the respective level three protocol is one from a group consisting of IP, IPX, and AppleTalk and wherein the step of producing structured data is based at least in part on the respective stored access lists.

5. A method of identifying network integrity violations in a computer network, comprising:

producing structured data in electronic memory which includes respective stored router names and respective stored access lists which respectively include patterns used to filter data into and out of a routing device, and wherein said structured data associates respective access lists with respective router names;

determining whether respective access lists in the structured data include a subsumption relation in which a first pattern is more general than or equal to a second pattern, wherein the respective access lists are structured such that the first pattern is encountered prior to the second pattern during typical processing of the respective access lists; and

storing in electronic memory a list of subsumption relations identifying respective pairs of first and second patterns.

6. The method of claim 5 wherein one or more of the respective stored access lists are respectively related to input packets and one or more of the respective stored access lists are respectively related to output packets and wherein the step of producing structured data is based at least in part on the respective stored access lists.

7. The method of claim 5 wherein each of the respective stored access lists is related to a respective level three protocol and wherein the step of producing structured data is based at least in part on the respective stored access lists.
8. The method of claim 7 wherein the respective level three protocol is one from a group consisting of IP, IPX, and AppleTalk and wherein the step of producing structured data is based at least in part on the respective stored access lists.

9. A computer-readable medium carrying one or more sequences of instructions for analyzing access list subsumption in routing devices of an actual or planned routed computer network, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:

producing structured data in electronic memory which includes respective stored router names and respective stored access lists which respectively include elements with address/mask pairs, and wherein said structured data associates respective access lists with respective router names;

determining whether respective access lists in the structured data include two or more elements in which a first element in the access list has a more general or equal address/mask pair than a second element in the access list, wherein the respective access lists are structured such that the first element is encountered prior to the second element during typical processing of the respective access lists; and

storing in electronic memory a report of access list elements in which a first element in the access list has a more general or equal address/mask pair than a second element in the access list.

10. The computer-readable medium of claim 9 wherein one or more of the respective stored access lists are respectively related to input packets and one or more of the respective stored access lists are respectively related to output packets and wherein the instructions cause the one or more processors to carry out the step of producing structured data based at least in part on the respective stored access lists.

11. The computer-readable medium of claim 9 wherein each of the respective stored access lists is related to a respective level three protocol and wherein the instructions cause the one or more processors to carry out the step of producing structured data based at least in part on the respective stored access lists.

12. The computer-readable medium of claim 11 wherein the respective level three protocol is one from a group consisting of IP, IPX, and AppleTalk and wherein the instructions cause the one or more processors to carry out the step of producing structured data based at least in part on the respective stored access lists.

13. A computer-readable medium carrying one or more sequences of instructions for identifying network integrity violations in a computer network, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:

producing structured data in electronic memory which includes respective stored router names and respective stored access lists which respectively include patterns used to filter data into and out of a routing device, and wherein said structured data associates respective access lists with respective router names;

determining whether respective access lists in the structured data include a subsumption relation in which a first pattern is more general than or equal to a second pattern, wherein the respective access lists are structured such that the first pattern is encountered prior to the second pattern during typical processing of the respective access lists; and

storing in electronic memory a list of subsumption relations identifying respective pairs of first and second patterns.
14. The computer-readable medium of claim 13 wherein one or more of the respective stored access lists are respectively related to input packets and one or more of the respective stored access lists are respectively related to output packets and wherein the instructions cause the one or more processors to carry out the step of producing structured data based at least in part on the respective stored access lists.

15. The computer-readable medium of claim 13 wherein each of the respective stored access lists is related to a respective level three protocol and wherein the instructions cause the one or more processors to carry out the step of producing structured data based at least in part on the respective stored access lists.

16. The computer-readable medium of claim 15 wherein the respective level three protocol is one from a group consisting of IP, IPX, and AppleTalk and wherein the instructions cause the one or more processors to carry out the step of producing structured data based at least in part on the respective stored access lists.

17. An apparatus for analyzing access list subsumption in routing devices of an actual or planned routed computer network, comprising:

means for producing structured data in electronic memory which includes respective stored router names and respective stored access lists which respectively include elements with address/mask pairs, and wherein said structured data associates respective access lists with respective router names;

means for determining whether respective access lists in the structured data include two or more elements in which a first element in the access list has a more general or equal address/mask pair than a second element in the access list, wherein the respective access lists are structured such that the first element is encountered prior to the second element during typical processing of the respective access lists; and

means for storing in electronic memory a report of access list elements in which a first element in the access list has a more general or equal address/mask pair than a second element in the access list.

18. An apparatus for identifying network integrity violations in a computer network, comprising:

means for producing structured data in electronic memory which includes respective stored router names and respective stored access lists which respectively include patterns used to filter data into and out of a routing device, and wherein said structured data associates respective access lists with respective router names;

means for determining whether respective access lists in the structured data include a subsumption relation in which a first pattern is more general than or equal to a second pattern, wherein the respective access lists are structured such that the first pattern is encountered prior to the second pattern during typical processing of the respective access lists; and

means for storing in electronic memory a list of subsumption relations identifying respective pairs of first and second patterns.

19. An apparatus for analyzing access list subsumption in routing devices of an actual or planned routed computer network, comprising:

a network interface coupled to the routed computer network for receiving one or more packet flows therefrom;

a processor;

50325-0630 (Seq. No. 5345) 






one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:

producing structured data in electronic memory which includes respective stored router names and respective stored access lists which respectively include elements with address/mask pairs, and wherein said structured data associates respective access lists with respective router names;

determining whether respective access lists in the structured data include two or more elements in which a first element in the access list has a more general or equal address/mask pair than a second element in the access list, wherein the respective access lists are structured such that the first element is encountered prior to the second element during typical processing of the respective access lists; and

storing in electronic memory a report of access list elements in which a first element in the access list has a more general or equal address/mask pair than a second element in the access list.

20. An apparatus for identifying network integrity violations in a computer network, comprising:

a network interface coupled to the routed computer network for receiving one or more packet flows therefrom;

a processor;

one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:

producing structured data in electronic memory which includes respective stored router names and respective stored access lists which respectively include patterns used to filter data into and out of a routing device, and wherein said structured data associates respective access lists with respective router names;

determining whether respective access lists in the structured data include a subsumption relation in which a first pattern is more general than or equal to a second pattern, wherein the respective access lists are structured such that the first pattern is encountered prior to the second pattern during typical processing of the respective access lists; and

storing in electronic memory a list of subsumption relations identifying respective pairs of first and second patterns.
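The following Python is an added example, not code from the patent or its assignee. It implements the three steps that claims 1 and 5 (and their medium and apparatus counterparts, claims 9, 13, 17 to 20) recite: build structured data that maps each router name to its access lists and each list to its ordered elements with address/mask pairs, test every earlier/later pair of elements for the "more general or equal" relation, and return the report. It assumes Cisco IOS standard-ACL syntax with wildcard masks (0 bits must match, 1 bits are don't-care); the router config it parses is constructed for illustration. Because the comparison is bitwise, it goes slightly beyond the claims' contiguous address/mask case and is also correct for the non-contiguous wildcard masks IOS accepts. The `action_conflict` field is likewise an addition: the claims report subsumption regardless of action, while a practitioner most wants the subset where the shadowed element would have decided differently.

```python
"""Access-list subsumption check (added example, Cisco IOS standard-ACL syntax).
Wildcard-mask convention assumed: 0 bits fixed, 1 bits don't-care."""
import ipaddress
import re
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+)$")


@dataclass(frozen=True)
class AclElement:
    line_no: int     # position in the list = order met during processing
    action: str      # "permit" or "deny"
    address: int     # IPv4 address as a 32-bit integer
    wildcard: int    # IOS wildcard mask: 0 bits fixed, 1 bits don't-care
    text: str        # original config line, kept for the report

    @property
    def fixed(self) -> int:
        """Bits a packet address must match exactly."""
        return ALL_ONES & ~self.wildcard


def subsumes(general: AclElement, specific: AclElement) -> bool:
    """True if every address matched by `specific` is also matched by
    `general` ("more general or equal"). Bitwise: `general` may fix only a
    subset of the bits `specific` fixes, and must agree on those bits."""
    if general.fixed & ~specific.fixed:
        return False
    return (general.address & general.fixed) == (specific.address & general.fixed)


def _parse_target(tokens):
    """(address, wildcard) from 'any', 'host A.B.C.D' or 'A.B.C.D [W.X.Y.Z]'."""
    if tokens[0] == "any":
        return 0, ALL_ONES
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return addr, wild


def build_structured_data(config_text: str) -> dict:
    """Step 1: {router_name: {acl_name: [AclElement, ...]}} in config order."""
    routers: dict = {}
    router = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("hostname "):
            router = line.split(None, 1)[1]
            routers.setdefault(router, {})
            continue
        m = ACL_RE.match(line)
        if m is None or router is None:
            continue
        acl, action, rest = m.groups()
        addr, wild = _parse_target(rest.split())
        elems = routers[router].setdefault(acl, [])
        elems.append(AclElement(len(elems) + 1, action, addr, wild, line))
    return routers


def find_subsumptions(routers: dict) -> list:
    """Step 2: every (earlier, later) pair where the earlier element subsumes
    the later one. The returned list is the report of step 3."""
    report = []
    for router, acls in routers.items():
        for acl, elems in acls.items():
            for i, first in enumerate(elems):
                for second in elems[i + 1:]:
                    if subsumes(first, second):
                        report.append({
                            "router": router, "acl": acl,
                            "first": first.line_no, "second": second.line_no,
                            "first_text": first.text, "second_text": second.text,
                            # beyond the claims: shadowed entry with the opposite action
                            "action_conflict": first.action != second.action,
                        })
    return report


# Constructed sample config: two routers, standard numbered ACLs.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 deny 10.1.2.0 0.0.0.255
access-list 10 permit host 192.168.1.5
access-list 20 deny any
access-list 20 permit 172.16.0.0 0.0.255.255
hostname core-rtr-2
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.255.0.255
"""

if __name__ == "__main__":
    for hit in find_subsumptions(build_structured_data(SAMPLE_CONFIG)):
        kind = "ACTION CONFLICT" if hit["action_conflict"] else "redundant"
        print(f"{hit['router']} acl {hit['acl']}: line {hit['first']} subsumes line "
              f"{hit['second']} ({kind})\n    {hit['first_text']}\n    {hit['second_text']}")
```

On the sample, the first two hits are the ones that matter operationally: a broad `permit` that swallows a later `deny`, and a `deny any` placed before the `permit` it was meant to follow. The third hit (a duplicated line on core-rtr-2) is the "equal" case the claims include; it is harmless but still reported. The last line of core-rtr-2's list uses a non-contiguous wildcard and is correctly not flagged, since the earlier /24 entries fix bits it leaves free.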


